Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
AV:N because attacker JS triggers cross-origin requests over the network; AC:H because nx graph must be actively running; UI:R because the developer must visit the malicious page; C:H for full project graph disclosure; I:L for limited /help injection path.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Nx is a monorepo solution for TypeScript and polyglot codebases. From 17.0.4 until 22.7.2 and 23.0.0-beta.2, the local HTTP server started by nx graph sent Access-Control-Allow-Origin: * on every response, letting any website a developer visited read the server's responses cross-origin - including the full project graph and the output of the /help endpoint, which runs a target's configured help command. The practical impact is typically cross-origin information disclosure, but can be arbitrary command injection in rare cases. This vulnerability is fixed in 22.7.2 and 23.0.0-beta.2.
AnalysisAI
Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while nx graph is running locally. The server unconditionally broadcasts Access-Control-Allow-Origin: *, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following to be true simultaneously: (1) the developer has actively invoked `nx graph` on their workstation, starting the local HTTP server - this is a development-time command absent from production, CI pipelines, and deployed infrastructure; (2) the developer visits an attacker-controlled or compromised website in the same browser session while `nx graph` is running; and (3) the attacker knows or can enumerate the local port the Nx graph server binds to. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N accurately reflects the constrained nature of exploitation: network-reachable via browser, but high complexity (requires the developer to have `nx graph` running simultaneously with a browser visit to an attacker-controlled page) and mandatory user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious webpage containing JavaScript that polls common localhost ports for the Nx graph server. A developer with `nx graph` running visits the page, and the attacker's script issues cross-origin `fetch()` calls to `http://localhost:<port>/` - the wildcard CORS header causes the browser to hand over the full response body, leaking the project graph including internal package names, dependency relationships, and target configurations. … |
| Remediation | Vendor-released patch: 22.7.2 (stable) and 23.0.0-beta.2 (beta). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-749 – Exposed Dangerous Method or Function
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39831